Merge pull request #1341 from zoetrope/specify-nameid-format-in-saml

Add: support for specifying SAML nameid-format
2024-11-07 01:25:16 +00:00 · 2016-10-21 08:17:11 +03:00 · 2016-10-21 08:17:11 +03:00 · 3db0eea921
commit 3db0eea921
parent 880627c69c 9ce211bf09
4 changed files with 12 additions and 1 deletions
--- a/docs/dev/saml.rst
+++ b/docs/dev/saml.rst
@ -13,6 +13,10 @@ and add REDASH_SAML_LOCAL_METADATA_PATH instead of REDASH_SAML_METADATA_URL, eg
 And an optional REDASH_SAML_CALLBACK_SERVER_NAME which contains the
 server name of the redash server for the callbacks from the SAML provider (eg demo.redash.io)

+And if you want to specify nameid format, add REDASH_SAML_NAMEID_FORMAT config value,
+eg urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
+default is urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+
 If you want to specify entityid in AuthnRequest,
 add REDASH_SAML_ENTITY_ID config value, eg http://demo.redash.io/saml/callback

--- a/docs/settings.rst
+++ b/docs/settings.rst
@ -30,6 +30,7 @@ The follow is a list of settings and what they control:
 - **REDASH_SAML_METADATA_URL**: *default ""*
 - **REDASH_SAML_LOCAL_METADATA_PATH**: *default ""*
 - **REDASH_SAML_CALLBACK_SERVER_NAME**: *default ""*
+- **REDASH_SAML_NAMEID_FORMAT**: *default ""*
 - **REDASH_SAML_ENTITY_ID**: *default ""*
 - **REDASH_STATIC_ASSETS_PATH**: *default "../rd_ui/app/"*
 - **REDASH_JOB_EXPIRY_TIME**: *default 3600 * 6*
--- a/redash/authentication/saml_auth.py
+++ b/redash/authentication/saml_auth.py
@ -7,6 +7,7 @@ from redash import settings
 from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT, entity
 from saml2.client import Saml2Client
 from saml2.config import Config as Saml2Config
+from saml2.saml import NAMEID_FORMAT_TRANSIENT

 logger = logging.getLogger('saml_auth')

@ -112,7 +113,11 @@ def sp_initiated():
        return redirect(url_for('redash.index'))

    saml_client = get_saml_client()
-    reqid, info = saml_client.prepare_for_authenticate()
+    if settings.SAML_NAMEID_FORMAT != "":
+        nameid_format = settings.SAML_NAMEID_FORMAT
+    else:
+        nameid_format = NAMEID_FORMAT_TRANSIENT
+    reqid, info = saml_client.prepare_for_authenticate(nameid_format=nameid_format)

    redirect_url = None
    # Select the IdP URL to send the AuthN request to
--- a/redash/settings.py
+++ b/redash/settings.py
@ -92,6 +92,7 @@ SAML_ENTITY_ID = os.environ.get("REDASH_SAML_ENTITY_ID", "")
 SAML_METADATA_URL = os.environ.get("REDASH_SAML_METADATA_URL", "")
 SAML_LOCAL_METADATA_PATH = os.environ.get("REDASH_SAML_LOCAL_METADATA_PATH", "")
 SAML_LOGIN_ENABLED = SAML_METADATA_URL != "" or SAML_LOCAL_METADATA_PATH != ""
+SAML_NAMEID_FORMAT = os.environ.get("REDASH_SAML_NAMEID_FORMAT", "")
 SAML_CALLBACK_SERVER_NAME = os.environ.get("REDASH_SAML_CALLBACK_SERVER_NAME", "")

 # Enables the use of an externally-provided and trusted remote user via an HTTP